Support FireWebSSO

If you are interested in supporting FireWebSSO and would like to contribute, you are
welcome to make a small donation through the
Donate link.
It will be a great help in keeping the public
server online and it will be appreciated.

Is the FireWebSSO service open?

Not yet.

Only "private-beta-testing" is currently under way, but we hope to open the public-beta service very soon.
This will happen once the FireWebSSO addon is fully qualified for Firefox and SeaMonkey.
SeaMonkey support is not yet complete.

There are also slight behaviour differences between Firefox versions 2 and 3; features and corrections for FireWebSSO are mainly validated on Firefox 3.

Auto-submit failed

On some forms the auto-submit feature fails to submit the form.
This generally happens on forms using advanced AJAX 'tricks'.
For some of them a correction may be possible; if the URL of the form is public, submit it to the support forum.

You may disable the auto-submit feature for this form.
The fields will be filled and the submit button will be correctly identified.

A New Firefox window is not authenticated

After an authentication to the FireWebSSO service only one Firefox window is authenticated. You may open sites in new tabs of the current window, but if you open a new Firefox window, it won't be authenticated to the FireWebSSO service.

This is a technical and security limitation: it avoids auto-submitting authentication to pop-up windows. Only the main window is attached to the FireWebSSO service.

This limitation will be removed in a future version through an option.

This limitation has been removed since version 0.9.9.0.

I want to be sure that no clear information is sent

The server side is only a container; all the work is done by the FireWebSSO addon.
You can read the code or ask someone to do it for you. You can check that everything is encrypted with your private key before being sent over an SSL connection.

Your Master Password is not sent to the server; a hash (SHA-2) is sent instead. This hash is used to validate the user account, and then your private key, encrypted with your Master Password, is delivered to you. Your private key can only be decrypted using your Master Password, so only your browser can use your private key. The private key is used to encrypt and decrypt all data sent to and received from the server.
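
A minimal sketch of the exchange described above, added here as an illustration and not taken from the FireWebSSO addon: the server only ever holds a hash and an encrypted blob, and the private key is recovered on the client. The page specifies only "SHA-2"; SHA-256, scrypt, AES-256-GCM, the function names and the "alice" account are assumptions, and the private key is treated as opaque bytes.

```javascript
// Added illustration, not FireWebSSO's code. SHA-256, scrypt and AES-256-GCM are assumed.
const crypto = require("node:crypto");

// Sent at login instead of the Master Password (the page only says "SHA-2").
function authHash(masterPassword) {
  return crypto.createHash("sha256").update(masterPassword, "utf8").digest("hex");
}

// Key protecting the private key: salted, slow KDF, so it differs from the hash the server sees.
function wrappingKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32);
}

// Client, at registration: encrypt the private key before it leaves the browser.
function wrapPrivateKey(privateKey, masterPassword) {
  const salt = crypto.randomBytes(16), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", wrappingKey(masterPassword, salt), iv);
  const ct = Buffer.concat([c.update(privateKey), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() };
}

// Client, after login: throws if the password is wrong or the blob was altered.
function unwrapPrivateKey(blob, masterPassword) {
  const d = crypto.createDecipheriv("aes-256-gcm", wrappingKey(masterPassword, blob.salt), blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]);
}

// Server ("only a container"): keeps the hash and the opaque blob, nothing else.
function makeServer() {
  const accounts = new Map();
  return {
    register(login, hash, blob) { accounts.set(login, { hash, blob }); },
    login(login, hash) {
      const acct = accounts.get(login);
      if (!acct) return null;
      const a = Buffer.from(acct.hash), b = Buffer.from(hash);
      return a.length === b.length && crypto.timingSafeEqual(a, b) ? acct.blob : null;
    },
  };
}

// Constructed run: register, log in, recover the key; a wrong password gets no blob.
function demo() {
  const pw = "F1rst H0us3 0n S1lly K0n Str33t", key = crypto.randomBytes(32);
  const server = makeServer();
  server.register("alice", authHash(pw), wrapPrivateKey(key, pw));
  const recovered = unwrapPrivateKey(server.login("alice", authHash(pw)), pw);
  return { recovered: recovered.equals(key), refused: server.login("alice", authHash("rabbit")) === null };
}
```

Calling `demo()` returns `{ recovered: true, refused: true }`.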

How strong should my Master Password be?

If you read the previous section, you understand that the security is based on the strength of the password. So, stronger is better. A weak password is one that is easy to guess for other (malevolent) people or for the tools they use to guess it. For example, common words (secret, password, rabbit, etc.), names or dates related to you (your first or last name, your wife/girlfriend/husband/boyfriend/pet name, your birth date, etc.), and even combinations of characters that are too short (1234, foo, bar, etc.) are all very weak passwords. Here is an example of a strong password: "F1rst H0us3 0n S1lly K0n Str33t". It is quite long (30 characters), easy to memorize (try reading it as "first house on Silicon Street" with "1" instead of "i", "0" (zero) instead of "o", "3" instead of "e", a capital on the first letter of each word, a stupid pun on "silicon" (silly con) and a deliberate spelling mistake on top of it ("kon" instead of "con")) and it was definitely not easy to guess (until we wrote it in this document, of course) because you DO NOT live in the first house on Silicon Street (which in turn might not exist at all).

Auto-submit failed after a bad password

To avoid authentication loops after a bad authentication, the auto-submit feature (when enabled) is disabled for the next 30 seconds. If you correct your password and retry an auto-submit in less than 30 seconds, the auto-submit will not be available.

The connection takes a long time

During the connection phase all the decryption is done by the browser. It takes a long time if there is a large number
of sites.

All the encryption/decryption is done in JavaScript. We chose to implement everything in JavaScript and XUL
to avoid developing and porting a C/C++ library for each system. Another advantage is that all the code is
readable; there is no binary (shared library) loaded into your browser. The JavaScript code is clear and not
obfuscated, so if you are concerned about security issues you can take a look at the code.

Only the connection takes time; navigating and issuing logins and passwords are seamless.

I lost my password!

You are dead, it is not possible to recover it. Mail us your login and we will completely delete your account. (We won't delete it for real, we will flag it as deleted, in case you remember your password one day).

Why is it not necessary to give an e-mail address during registration?

Because we don't need it. We have no use for your e-mail address or other personal information; remember that there is no password recovery possible!

If you give your e-mail address, you will only receive messages from us about the FireWebSSO service (very rarely).

Anyway, the FireWebSSO connect page will contain all the messages we need to send to you.

You will be able to add/change your mail address in the "My Account Profile" panel.

I reached the limit of 1000 sites!

This limit can be modified by the administrator of the FireWebSSO service. If you really like the FireWebSSO service and want to be a power user, mail us your login to request a higher limit.

I try to connect but I got an error message

Either your Master login/password is erroneous or your account is in one of the following states:

deleted : your account is being deleted after you requested it.
Your account is still recoverable for a while.

locked : your account is locked, it may occur during database migration or update.

banned : your account is banned from the service because we observed strange connections
or errors with your user account. Your account is still recoverable.

How is this project funded?

This project is independent and receives no money except through donations
and the ads on the web pages.
We hope that the funds received will let us cover the cost of the
public FireWebSSO server.

What is the status of the project and the server?

The project is in Open-Beta phase, which means that anyone can register
for the FireWebSSO service, but the service may crash at any time.
(See the Licence Agreement during the Registration).

But the project and the server are quite stable. The server bandwidth
and power are limited but we have flexibility to increase them.
Nevertheless, the number of accounts is currently limited to 40000, to
avoid database overload.

We are working to increase the capacity of the server database.

Why are the server sources/binaries not available directly for download?

Mainly because the sources are not ready for public release, i.e.
there is no ./configure and the compilation dependencies are not
complete. The Windows version is not fully stabilised, the database
is currently only SQLite and we want to support at least MySQL or
any ODBC database, and the configuration tools and monitoring tools are
not finalized...

Future features of the extension are under development and
need some improvement on the server side, while maintaining compatibility
with previous features.

We don't want to release software that is not easy to use and spend time
supporting an incomplete version. We are focused on the addon features.

The sources of the Firefox addon are available in the extension ;=).
The addon is fully written in XUL and JavaScript to be OS independent.
(There is no C++ XPCOM dll.)

I would like to participate

We are looking for translators, currently English/French/Italian
are (or will be soon) available.

You can also use the "donate link" and participate in the project funding.

Who is the author of the project?

The author is Christophe Guionneau, who was one of the
two original authors of TORCS
(The Open Race Car Simulator), years ago (no relation at all with
security).

How to remove the FireWebSSO addon?

In the Addons panel of Firefox or SeaMonkey, just delete the addon.

Depending on the version of FireWebSSO you use, the built-in password manager could
be disabled after the removal. If so, do the following:

Type "about:config" in the URL bar, then accept the warning.

Then type "signon" in the filter field.

Then take a look at "signon.rememberSignons": if it is set to "false", set it to "true".
And it should work.